local host (domain) name lookup from outside LAN?
-
I have some hosts that I would like to be able to reach from outside my network. I have both IPv4 and IPv6 working internally as well as routable over the WAN using Godaddy DNS. Inside my network I use DNS forwarder so that myserver.mydomain.com resolves to myserver IP. Outside my network, I can use mydomain.com, but myserver.mydomain.com isn't recognized.
What is the right way to implement this? I think I can add SRV records in Godaddy for the prefix to mydomain.com, although I tried this for ftp.mydomain.com without success. Is there a way that pfSense can DNS requests from the WAN? I'm new to pfSense and DNS, so please don't assume too much about what I already know. Thanks!
-
Do you have public IPv4 addresses? If not, you'll be using RFC 1918 addresses behind it, which should never be on a public DNS. I have an external DNS, as well as pfSense. I use the pfSense DNS for everything on my network. All my IPv6 devices have global addresses, which can be reached from elsewhere. All those are on the public DNS, along with an IPv4 record that points to my firewall. I then have to use port forwarding to reach the appropriate device.
-
@JKnott said in local host (domain) name lookup from outside LAN?:
Do you have public IPv4 addresses? If not, you'll be using RFC 1918 addresses behind it, which should never be on a public DNS. I have an external DNS, as well as pfSense. I use the pfSense DNS for everything on my network. All my IPv6 devices have global addresses, which can be reached from elsewhere. All those are on the public DNS, along with an IPv4 record that points to my firewall. I then have to use port forwarding to reach the appropriate device.
I have the same setup as you; for mydomain.com IPv4 points to the firewall, IPv6 points to the server behind the firewall.
But local DNS lookup finds myserver.mydomain.com, whereas external DNS lookup only finds mydomain.com.
-
@lifespeed said in local host (domain) name lookup from outside LAN?:
But local DNS lookup finds myserver.mydomain.com, whereas external DNS lookup only finds mydomain.com.
Do you have each server listed in the external DNS? Unless you have an authoritative server, you cannot have the external DNS refer to your own DNS.
-
@lifespeed said in local host (domain) name lookup from outside LAN?:
I have the
You'd add multiple A records or cnames against your WAN IP address on your Godaddy account.
You'd then have to NAT on your pfSense router to point the incoming ports to the correct server on the local LAN.
-
@lifespeed said in local host (domain) name lookup from outside LAN?:
But local DNS lookup finds myserver.mydomain.com, whereas external DNS lookup only finds mydomain.com.
Why? Why not add your myserver as a simple A record to your mydomain.com? Is it a dynamic IP? If so, can GoDaddy's DNS be accessed via API? Then just set it up like any other DynDNS and let it put the WAN IP in myserver's A record in your domain. Don't really see the problem ;)
-
@JKnott said in local host (domain) name lookup from outside LAN?:
Do you have each server listed in the external DNS? Unless you have an authoritative server, you cannot have the external DNS refer to your own DNS.
I guess the answer is I can't use my pfSense DNS to reference hosts behind my LAN for external access. I'll take another crack at GoDaddy SRV record configuration, I'm not sure why I didn't succeed last time.
-
@JeGr said in local host (domain) name lookup from outside LAN?:
@lifespeed said in local host (domain) name lookup from outside LAN?:
But local DNS lookup finds myserver.mydomain.com, whereas external DNS lookup only finds mydomain.com.
Why? Why not add your myserver as a simple A record to your mydomain.com? Is it a dynamic IP? If so, can GoDaddy's DNS be accessed via API? Then just set it up like any other DynDNS and let it put the WAN IP in myserver's A record in your domain. Don't really see the problem ;)
The problem is I already tried configuring Godaddy SRV records to point to a server behind pfSense, and it didn't work. I used myserver subdomain of mydomain.com. pfSense firewall works, and I can access the server if I specify the port; mydomain.com:21 or mydomain.com:8081
-
It's not SRV records, it's A records or CNAME you need to look at.
https://en.wikipedia.org/wiki/SRV_record
https://en.wikipedia.org/wiki/List_of_DNS_record_types
-
@NogBadTheBad said in local host (domain) name lookup from outside LAN?:
It's not SRV records, it's A records or CNAME you need to look at.
https://en.wikipedia.org/wiki/SRV_record
https://en.wikipedia.org/wiki/List_of_DNS_record_types
OK, I'll revisit this tonight. I guess I should make both A (IPv4) and AAAA (IPv6) records? The A record would specify subdomain, a port for NAT and the mydomain.com, while the AAAA would specify subdomain, port and mydomain.com?
I do currently have both A and AAAA records, without subdomains. mydomain.com for IPv4 points to my WAN IP, while mydomain.com IPv6 points to the server on the LAN directly.
After reading about A and SRV records, I do still think the correct approach is an SRV record specifying the subdomain that points to a port. Or do I need an A record for the subdomain, and an SRV record to point to the appropriate port for the service associated with the subdomain?
-
@lifespeed said in local host (domain) name lookup from outside LAN?:
OK, I'll revisit this tonight. I guess I should make both A (IPv4) and AAAA (IPv6) records? The A record would specify subdomain, a port for NAT and the mydomain.com, while the AAAA would specify subdomain, port and mydomain.com?
No. A records are for IPv4 addresses and AAAA for IPv6. You'd create an A record for every IPv4 address that can be reached directly, not hiding behind NAT. You'd also create AAAA records for IPv6 addresses, but you don't have NAT getting in the way. Also, a DNS server returns only an IP address to match the host name. It does not return port numbers. If you have NAT on IPv4, you could create an A record for the address and then rely on port forwarding to get to the correct local device. One other possibility is that for http & https, the headers can be read to determine what the original URL was and then forward accordingly.
Again, unless you have your own authoritative DNS, the public DNS records must contain the FQDN for each server on your network. It cannot break down between domain and subdomain.
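As an added illustration of the model JKnott and NogBadTheBad describe (this is not code from the thread, from pfSense, or from GoDaddy), the Python script below parses a constructed public zone fragment in which every FQDN gets its own A/AAAA record, applies the kind of LAN host override a forwarder holds, and then shows that a port-forward table, not DNS, decides which LAN host an inbound IPv4 connection lands on. All addresses are documentation ranges (RFC 5737 / RFC 3849), the zone parser only understands the few record forms in the fragment, and the override, port-forward and HTTP Host-header tables are made-up assumptions.

```python
"""Split-horizon DNS plus NAT, modelled in plain Python.

Public zone: A/AAAA for each FQDN (IPv4 -> firewall WAN, IPv6 -> the host's
global address).  LAN resolver: overrides the same names with LAN addresses.
Firewall: port-forward table maps WAN port -> LAN host.  Nowhere does DNS
carry a port number.
"""

# Constructed BIND-style zone fragment (documentation addresses only).
PUBLIC_ZONE = """
$ORIGIN mydomain.com.
@          IN A     203.0.113.10      ; firewall WAN address
@          IN AAAA  2001:db8:1::10    ; server's global IPv6 address
myserver   IN A     203.0.113.10      ; same WAN address, NAT does the rest
myserver   IN AAAA  2001:db8:1::10
ftp        IN CNAME myserver          ; alias, so ftp follows myserver
"""

# Constructed LAN host overrides, as a forwarder/resolver would hold them.
LAN_OVERRIDES = {
    "myserver.mydomain.com.": {"A": ["192.168.1.10"], "AAAA": ["2001:db8:1::10"]},
}

# Constructed port-forward table: inbound WAN port -> (LAN host, LAN port).
WAN_IP = "203.0.113.10"
PORT_FORWARDS = {21: ("192.168.1.10", 21), 8081: ("192.168.1.10", 8081)}

# Constructed reverse-proxy map for the HTTP case JKnott mentions: Host header -> backend.
HTTP_BACKENDS = {"myserver.mydomain.com": ("192.168.1.10", 8081)}


def parse_zone(text):
    """Parse a minimal zone fragment into {owner_fqdn: {rtype: [rdata, ...]}}."""
    origin = "."
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, _rclass, rtype, rdata = line.split(None, 3)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"  # qualify relative owner names
        if rtype == "CNAME" and not rdata.endswith("."):
            rdata = f"{rdata}.{origin}"  # qualify relative CNAME targets too
        records.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
    return records


def resolve(name, rtype, zone, overrides=None, depth=0):
    """Addresses a client sees for name/rtype: LAN overrides win, CNAMEs are followed."""
    fqdn = name if name.endswith(".") else name + "."
    if overrides and rtype in overrides.get(fqdn, {}):
        return list(overrides[fqdn][rtype])
    rrset = zone.get(fqdn, {})
    if rtype in rrset:
        return list(rrset[rtype])
    if "CNAME" in rrset and depth < 8:  # bounded chain, avoids CNAME loops
        return resolve(rrset["CNAME"][0], rtype, zone, overrides, depth + 1)
    return []  # NXDOMAIN / NODATA: the name is simply not in the public zone


def inbound_target(dst_ip, dst_port):
    """LAN endpoint an inbound IPv4 connection reaches; None if no forward matches."""
    if dst_ip != WAN_IP:
        return None
    return PORT_FORWARDS.get(dst_port)


def http_backend(host_header):
    """Backend chosen by a reverse proxy from the HTTP Host header (port stripped)."""
    host = host_header.split(":", 1)[0].lower().rstrip(".")
    return HTTP_BACKENDS.get(host)


if __name__ == "__main__":
    zone = parse_zone(PUBLIC_ZONE)
    for view, ov in (("outside", None), ("inside", LAN_OVERRIDES)):
        print(view, "myserver A   ", resolve("myserver.mydomain.com", "A", zone, ov))
        print(view, "myserver AAAA", resolve("myserver.mydomain.com", "AAAA", zone, ov))
    print("ftp A via CNAME", resolve("ftp.mydomain.com", "A", zone))
    print("WAN:21 ->", inbound_target(WAN_IP, 21))
    print("Host: myserver.mydomain.com ->", http_backend("myserver.mydomain.com"))
```

Run it as-is to see the two views side by side: outside, myserver.mydomain.com resolves to the firewall's WAN address and the connection's destination port picks the LAN host; inside, the override hands back the LAN address directly. A name that has no A/AAAA (or CNAME) in the public zone returns nothing, which is exactly the "external lookup only finds mydomain.com" symptom from the opening post.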